This is in response to your letter, dated January 15, 2004, in which you asked for guidance on the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. Specifically, you state that the Federal Centers for Disease Control and Prevention (CDC) has entered into an agreement with the Center for Autism and Developmental Disabilities Research and Epidemiology (CADDRE) at the University of Pennsylvania for the purpose of performing an autism prevalence study. You further explain that, in order to conduct the study, the study sites across the country have entered into Memorandum of Understandings (MOUs) with their respective State departments of education in order to obtain access to the records of students whom school districts have identified as developmentally disabled. You ask whether such an MOU violates the requirements of FERPA. This Office administers FERPA and provides technical assistance to educational agencies and institutions to ensure compliance with the statute and regulations codified at 34 CFR Part 99.

In general, parents have the right under FERPA to inspect and review their children's education records and to seek to have them amended in certain circumstances. 34 CFR Part 99, Subparts B and C. In addition, an educational agency or institution subject to FERPA may not have a policy or practice of disclosing education records, or non-directory, personally identifiable information from education records, without the written consent of the parent or eligible student, except as provided by law. 34 CFR Part 99, Subpart D. "Education records" are defined as records that are directly related to a student and maintained by an educational agency or institution or by a party acting for the agency or institution. 34 CFR § 99.3 ("Education records"). It is our understanding that the Pennsylvania Department of Education (PDE) obtained the records sought by CADDRE from schools and school districts pursuant to PDE's responsibility under the Individuals with Disability Education Act (IDEA) for ensuring that the Federal legal requirements of IDEA are met. As such, the information requested by CADDRE clearly falls within the definition of "education records" under FERPA.

FERPA applies to "educational agencies and institutions" that receive funds under any program administered by the Secretary of Education. 34 CFR 99.1. Most local public schools and school districts (local educational agencies, or LEAs) are subject to FERPA because they receive Department funds and meet the description of an "educational agency" or "educational institution" provided in § 99.1 of the FERPA regulations. While a State educational agency (SEA) may receive funds from the Department, as a practical matter, FERPA generally would not apply to the records of an SEA. This is because FERPA defines "education records" as information directly related to a "student," which itself is defined as excluding a person who has not been in attendance at the educational agency or institution. 20 U.S.C. § 1232g(a)(4) and (a)(6). Since students generally are not in attendance at an SEA, it follows that FERPA does not generally apply to the SEA's records. (Congress amended FERPA in § 249 of the Improving America's Schools Act of 1994 so that parents have the right to inspect and review education records maintained by an SEA, including records that an SEA creates or receives from local school districts or other sources. See 34 CFR § 99.10(a)(2).)

LEAs and their constituent schools most often disclose education records to SEAs under §§ 99.31(a)(3)(iv) and 99.35 of the FERPA regulations, which permit disclosure without written consent to "authorized representatives of … State and local educational authorities" provided the disclosure is in connection with:

An audit or evaluation of Federal or State supported education programs; or

Protected in a manner that does not permit personal identification of individuals by anyone except the officials listed in 34 CFR 99.31(a)(3); and

Destroyed when no longer needed for the purposes for which it was disclosed.

In this case, we are aware of no exception to the written consent rule other than § 99.31(a)(3) that would permit schools and LEAs to disclose the information to PDE without written parental consent in order for PDE to perform its responsibility of ensuring that the Federal legal requirements of IDEA are met. Accordingly, information disclosed to PDE and other officials listed in 34 CFR § 99.31(a)(3) may not be redisclosed in personally identifiable form, intentionally or otherwise, to anyone other than authorized representatives of PDE and must be destroyed when no longer needed for the audit or evaluation purpose for which it was collected. It should noted be that "disclosure" not only means the transmitting or releasing of information to a third party but encompasses permitting a third party to have access to the information in any manner, including oral, written, or electronic means. 34 CFR § 99.3 ("Disclosure"). Thus, allowing a party that is not an official of the SEA to inspect and review personally identifiable information would constitute a "disclosure" of personally identifiable information under FERPA.

We are aware that some SEAs have entered into agreements with state departments of health or other entities that are grantees of CDC as part of CDC's population-based surveillance projects for children with autism and other developmental disabilities, pursuant to CDC's obligations under Section 102 of the Children's Health Act of 2000 (P.L. 106-310, October 17, 2000). In some cases, the SEA has used an MOU to designate the state health department or other entity as its "authorized representative" for purposes of meeting the requirements of §§ 99.31(a)(3)(iv) and 99.35 of the FERPA regulations, as described above.

Earlier this year, the Department issued guidance regarding whether FERPA permits a State or local educational authority, such as an SEA, to authorize or designate another State agency as its "authorized representative" in order to conduct data matching with the other entity. This memorandum was issued to all Chief State School Officers on January 30, 2003, by former Deputy Secretary William D. Hansen and is available on this Office's website (www.ed.gov/offices/OII/fpco). The Deputy Secretary's memorandum rescinded (effective April 30) previous Department guidance that relied on an expansive interpretation of the term "authorized representative" in § 99.31(a)(3) to support data matching with state labor departments and other non-educational agencies in order to meet Workforce Investment Act and other Federal reporting requirements. It grew out of concern that unlimited discretion to appoint or designate an "authorized representative" for data matching purposes essentially vitiates the specific conditions for nonconsensual disclosure under §§ 99.31(a)(3) and 99.35 and, more generally, FERPA's prohibition on disclosure without written consent. The memo explains that multiple references to "officials" in the statutory text for this exception reflect congressional concern that the "authorized representatives" of a State educational authority (or other official listed in § 99.31(a)(3)) must be under the direct control of that authority, which means an employee, appointed official, or "contractor."

"Contractor" in this sense means outsourcing or using third-parties to provide services that the State educational authority would otherwise provide for itself, in circumstances where internal disclosure would be appropriate under § 99.35 if the State educational authority were providing the service itself, and where the parties have entered into an agreement that establishes the State educational authority's direct control over the contractor with respect to the service provided by the contractor. Any contractor that obtains access to personally identifiable information from education records in these circumstances is bound by the same restrictions on redisclosure and destruction of information that apply to the State educational authority itself under § 99.35, and the State educational authority is responsible for ensuring that its contractor does not redisclose or allow any other party to have access to any personally identifiable information from education records.

In the circumstances you described, CADDRE may not serve as an "authorized representative" of PDE under § 99.31(a)(3) of the FERPA regulations because CADDRE personnel are not employees, appointed officials, or contractors under the direct control of PDE, the State educational authority. That is, PDE may not enter into an MOU or some other type of agreement with CADDRE or some other outside agency to disclose personally identifiable information from education records to CADDRE.

Some educational agencies and institutions have asked whether FERPA would permit them to disclose information to outside researchers under the "study" provision of FERPA. See 20 U.S.C. § 1232g(b)(1)(F). Under FERPA, an educational agency or institution may generally disclose personally identifiable, non-directory information, without obtaining prior written consent, to organizations conducting studies for, or on behalf of, the agency or institution, in order to:

34 CFR § 99.31(a)(6); 20 U.S.C. § 1232g(b)(1)(F). The agency or institution may release information under this provision only if:

(A) the study is conducted in a manner that does not permit personal identification of parents and students by individuals other than representatives of the organization; and

(B) the information is destroyed when no longer needed for the purposes for which the study was conducted.

Id.

As with the FERPA provision for disclosure of information to State and local educational authorities, discussed above, recipients of information from education records under this provision may not redisclose information in personally identifiable form except to officials of the organization conducting the study for which the information was originally disclosed.

Implicit in the "study" exception is the notion that an educational agency or institution has authorized a study. The fact that an outside entity, on its own initiative, conducts a study which may benefit an educational agency or institution, does not transform the study into one done "for or on behalf of" the educational agency or institution.

There are ways in which an educational agency or institution may participate in research such as the surveillance of children with autism and other developmental disabilities without violating FERPA. First, nothing in FERPA prohibits the PDE or an LEA or school from disclosing information in aggregate or other non-personally identifiable form. As noted earlier, FERPA specifically prevents the disclosure of personally identifiable information from education records, without the prior written consent of parents and students under § 99.30, including:

(a) the student's name;
(b) the name of the student's parent or other family member;
(c) the address of the student or student's family;
(d) a personal identifier, such as the student's social security number or student number;
(e) a list of personal characteristics that would make the student's identity easily traceable; or
(f) other information that would make the student's identity easily traceable.

In order to make sure that student-level information is not personally identifiable, in circumstances that can lead to identification of an individual, the disclosing educational agency or institution (the PDE or LEA or school) would need to remove not only name and ID number but also "personal characteristics" and "other information that would make the student's identity easily traceable," which means such factors as physical description (race, sex, appearance, etc.); date and place of birth; religion and national origin; participation in sports, clubs, and other activities; academic performance; employment; disciplinary actions or criminal proceedings, etc. "Other information that would make the student's identity easily traceable" may also be implicated in the release of small numbers of aggregated or statistical information from education records.

Second, nothing in FERPA prohibits school officials from asking parents for their consent in order to disclose personally identifiable information on students to CADDRE officials. The written consent required before an educational agency or institution may disclose personally identifiable, non-directory information from education records should:

(1) specify the records that may be disclosed;
(2) state the purpose of the disclosure; and
(3) identify the party or class of parties to whom the disclosure may be made.

34 CFR § 99.30(b); see 20 U.S.C. § 1232g(b)(2)(A).

If requested, the agency or institution must provide a parent or student with a copy of the records disclosed. 34 CFR § 99.30(c).

I trust that this adequately explains the scope and limitations of FERPA as it relates to the disclosure of personally identifiable information by the PDE, LEAs, and/or schools to CADDRE.

Should you have any further questions, please do not hesitate to contact this Office at the following address and telephone number: